
Google redirects... Combofix didn't work

  • This topic is locked
3 replies to this topic

#1 Greattornick


  • Members
  • 2 posts
  • Local time:07:51 PM

Posted 05 September 2010 - 04:39 AM

Hi, these days I'm dealing with a nasty Google redirect infection that prevents me from correctly viewing the results of my searches. It is impossible to visit certain pages that involve antimalware programs, and it often prompts me with a fake scan of my C drive and with warnings of various infections. I'm running Windows XP SP2 on a Compaq 6820s. Thanks in advance for your help. Here are the reports you may need.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 11.23.46,89 on 05/09/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.2047.1255 [GMT 2:00]

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\File comuni\InterVideo\RegMgr\iviRegMgr.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\PDF Complete\pdfsvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programmi\TomTom HOME 2\TomTomHOMEService.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\PDF Complete\pdfsty.exe
C:\Programmi\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Programmi\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Programmi\Hp\HP Software Update\HPWuSchd2.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\File comuni\LightScribe\LightScribeControlPanel.exe
C:\Programmi\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Programmi\TomTom HOME 2\TomTomHOMERunner.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programmi\AceLogix\Free Ram Optimizer\fro.exe
C:\Programmi\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Programmi\Skype\Plugin Manager\skypePM.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Administrator\Documenti\Download\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=IT_IT&c=74&bd=smb&pf=laptop
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=IT_IT&c=74&bd=smb&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=IT_IT&c=74&bd=smb&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\programmi\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programmi\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programmi\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\programmi\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [LightScribe Control Panel] c:\programmi\file comuni\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [uTorrent] "c:\programmi\emule\utorrent\uTorrent.exe"
uRun: [DAEMON Tools Lite] "c:\programmi\daemon tools lite\DTLite.exe" -autorun
uRun: [VeohPlugin] "c:\programmi\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [TomTomHOME.exe] "c:\programmi\tomtom home 2\TomTomHOMERunner.exe"
uRun: [Free Ram Optimizer] c:\programmi\acelogix\free ram optimizer\fro.exe
uRun: [Skype] "c:\programmi\skype\phone\Skype.exe" /nosplash /minimized
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [SoundMAXPnP] c:\programmi\analog devices\core\smax4pnp.exe
mRun: [StartCCC] c:\programmi\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [PDF Complete] "c:\programmi\pdf complete\pdfsty.exe"
mRun: [PTHOSTTR] c:\programmi\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [SynTPEnh] c:\programmi\synaptics\syntp\SynTPEnh.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [SunJavaUpdateSched] "c:\programmi\java\jre6\bin\jusched.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [HP Software Update] c:\programmi\hp\hp software update\HPWuSchd2.exe
mRun: [Cpqset] c:\programmi\hewlett-packard\default settings\cpqset.exe
mRun: [WatchDog] c:\programmi\intervideo\dvd check\DVDCheck.exe
mRun: [ZoneAlarm Client] "c:\programmi\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\programmi\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [QuickTime Task] "c:\programmi\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\programmi\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\programmi\file comuni\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\bttray.lnk - c:\programmi\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\menuav~1\progra~1\esecuz~1\dvdche~1.lnk - c:\programmi\intervideo\dvd check\DVDCheck.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&sporta in Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Invia a periferica &Bluetooth... - c:\programmi\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {4B21E152-BA59-4ebf-B522-8C55B265EE1A} - c:\programmi\partyitalia\partypokerit\RunApp.exe
IE: {C4046502-6524-4d87-896C-878F57D1FF07} - c:\programmi\pokerstars.it\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fileco~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\programmi\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: DeviceNP - DeviceNP.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\programmi\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\programmi\file comuni\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\datiap~1\mozilla\firefox\profiles\4in0jb8a.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmi\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}


============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

==================== Find3M ====================

2006-07-05 10:56:03 158658 --sha-r- c:\windows\system32\nlknjl.dll

============= FINISH: 11.24.39,96 ===============


DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 19/12/2009 19.43.50
System Uptime: 09/05/2010 11.11.15 (2856 hours ago)

Motherboard: Hewlett-Packard | | 30D7
Processor: Intel® Core™2 Duo CPU T5670 @ 1.80GHz | U10 | 1795/200mhz
Processor: Intel® Core™2 Duo CPU T5670 @ 1.80GHz | U10 | 1795/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 222 GiB total, 147,506 GiB free.
D: is FIXED (NTFS) - 11 GiB total, 0,416 GiB free.
E: is CDROM ()
F: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 02/09/2010 22.17.01 - Punto di arresto del sistema
RP2: 03/09/2010 10.36.40 - Installed SUPERAntiSpyware Free Edition

==== Installed Programs ======================

==== End Of File ===========================

RkUnhooker report generator v0.7
Rootkit Unhooker kernel version: 3.7.300.509
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600




#2 gringo_pr


    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:51 PM

Posted 13 September 2010 - 04:14 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
  1. Do not run any other tool until instructed to do so!
  2. Please do not attach logs or put them in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop


    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning. It is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Information and logs:
    In your next post I need the following:
      1. Logs from DDS
      2. Log from RKUnHooker
      3. Let me know of any problems you may have had


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr


    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:51 PM

Posted 16 September 2010 - 12:53 PM


three day bump

It has been three days since my last post.
  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?
  • If after 48 hrs you have not replied to this thread then it will have to be closed!



#4 gringo_pr


    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:51 PM

Posted 18 September 2010 - 11:26 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.

With Regards,

